CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 44 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7293 | Hig | 0.54 | 7.8 | 0.03 | Apr 26, 2017 | The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM. This affects Dolby Audio X2 (DAX2) 1.0, 1.0.1, 1.1, 1.1.1, 1.2, 1.3, 1.3.1,… | ||
| CVE-2026-48853 | Cri | 0.53 | — | 0.01 | Jun 15, 2026 | Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it,… | ||
| CVE-2026-42687 | Hig | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions. | ||
| CVE-2026-27333 | Hig | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions. | ||
| CVE-2026-41699 | Hig | 0.53 | 8.1 | 0.00 | Jun 11, 2026 | Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the… | ||
| CVE-2026-41732 | Hig | 0.53 | 8.1 | 0.00 | Jun 10, 2026 | JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a… | ||
| CVE-2026-41855 | Hig | 0.53 | 8.1 | 0.00 | Jun 9, 2026 | In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class… | ||
| CVE-2026-39555 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1. | ||
| CVE-2026-39551 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1. | ||
| CVE-2026-39550 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6. | ||
| CVE-2026-44843 | Hig | 0.53 | 8.2 | 0.00 | May 26, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths… | ||
| CVE-2026-7647 | Hig | 0.53 | 8.1 | 0.00 | May 2, 2026 | The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the… | ||
| CVE-2026-6023 | Hig | 0.53 | 8.1 | 0.01 | Apr 22, 2026 | In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code… | ||
| CVE-2026-23971 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8. | ||
| CVE-2026-22510 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3. | ||
| CVE-2026-22505 | — | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2. | |
| CVE-2026-27096 | Hig | 0.53 | 8.1 | 0.00 | Mar 19, 2026 | Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3. | ||
| CVE-2026-2626 | Hig | 0.53 | 8.1 | 0.00 | Mar 11, 2026 | The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data,… | ||
| CVE-2026-27369 | Hig | 0.53 | 8.1 | 0.00 | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6. | ||
| CVE-2026-27098 | Hig | 0.53 | 8.1 | 0.00 | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection.This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2. |
- risk 0.54cvss 7.8epss 0.03
The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM. This affects Dolby Audio X2 (DAX2) 1.0, 1.0.1, 1.1, 1.1.1, 1.2, 1.3, 1.3.1,…
- risk 0.53cvss —epss 0.01
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it,…
- risk 0.53cvss 8.1epss 0.00
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
- risk 0.53cvss 8.1epss 0.00
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.
- risk 0.53cvss 8.1epss 0.00
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the…
- risk 0.53cvss 8.1epss 0.00
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a…
- risk 0.53cvss 8.1epss 0.00
In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class…
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6.
- risk 0.53cvss 8.2epss 0.00
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths…
- risk 0.53cvss 8.1epss 0.00
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the…
- risk 0.53cvss 8.1epss 0.01
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code…
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.
- risk 0.53cvss 8.1epss 0.00
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data,…
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6.
- risk 0.53cvss 8.1epss 0.00
Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection.This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2.